Sponsored by:
The “Study on the position of Spanish SMEs in the face of risks and the implementation of
Business Continuity Plans” was prepared by the following work team of the INTECO Information
Security Watchdog:
INTECO wishes to highlight the involvement in the fieldwork and research of this study of, and to
express thanks for sponsoring this printed edition to:
This publication belongs to the National Institute of Communication Technology (INTECO) and is under a Creative
Commons Spain 2.5 Attribution Non-Commercial license. For this reason, copying, distributing and publicly disseminating
this work is permitted under the following conditions:
• Attribution: The contents of this report can be reproduced in full or partially by third parties, stating its source and
expressly referring to both INTECO and its website: www.inteco.es. This attribution may in no way suggest that
INTECO lends its support to the third party or supports the use made of its work.
• Non-Commercial use: The original material and the resulting work may be distributed, copied or shown, provided the
purpose thereof is not commercial.
In reusing or distributing the work the terms of its license must be made quite clear. Some of these conditions may not be
applicable if permission from INTECO as holder of the copyright is obtained. Nothing in this license impairs or restricts the
moral rights of INTECO. http://creativecommons.org/licenses/by-nc/2.5/es/
This document meets the PDF (Portable Document Format) accessibility conditions. It is therefore a structured, tagged
document, with alternatives for all non-text elements, with the language set and an appropriate reading order.
For further information on the construction of accessible PDF documents please see the guide available in the
Manuales y Guías section of the website http://www.inteco.es
Spanish SMEs in the face of risks and the implementation of Business Continuity Plans Page 2 of 21
Information Security Watchdog
CONTENTS
1.1 Introduction 4
1.2 Objectives 4
2.3 Analysis of the levels of the adoption of business continuity measures or plans by Spanish SMEs 12
1 OBJECTIVES AND METHODOLOGY
1.1 Introduction
In line with its aim to develop the Knowledge Society through projects relating to
innovation and technology, INTECO has published its Study on the level of preparation of
SMEs in the face of risks and their adoption of Business Continuity Plans.
This study emphasises the concept of Business Continuity which, in view of business
developments and national and international events, is being taken into account
increasingly in the strategic management of organisations, to the point of becoming a
necessity or at least a matter to be addressed.
Although there are numerous definitions of Business Continuity Management, they should
refer in all cases to a process aimed at identifying the potential risks threatening an
organisation and, for the purposes of prevention, at developing the ability to recover in the
face of situations entailing complete or partial interruptions to business operations.
1.2 Objectives
The overall objective of this study is to analyse, on the basis of employers’ perceptions, the
levels of preparation, patterns of conduct, actual needs and main obstacles preventing the
adoption of measures, plans or strategies that enable Spanish SMEs to be better
prepared in order to guarantee the continuity of their business operations. Specifically, the study aims to:
• Appraise the Spanish SMEs’ levels of culture and knowledge regarding business
continuity.
• Analyse the levels at which business continuity actions or plans have been adopted at
Spanish SMEs.
Lastly, using the findings of the study, a practical guide addressed to SMEs was drawn
up, containing guidelines and advice on the design and implementation of a business
continuity plan.
The methodology used to conduct the study and to publish this report was based on
surveys (conducted face-to-face, by phone or remotely) of Spanish companies with fewer
than 50 employees and at least one computer with an internet connection and also of
providers or experts in the delivery of services geared to ensuring the continuity of
business operations.
• Types of companies from the standpoint of business continuity. 400 small and
medium companies, as well as micro-companies from all business sectors pursuant to
the 2009 National Classification of Economic Activities (CNAE-2009) responded to the
survey.
• Identification of SMEs with successful track records due to the use of good
practices in business continuity. A total of 29 organisations can be cited as
success stories, representing different situations in terms of whether or not they
adopted business continuity plans in respect of risk analysis, technological recovery
plans, implemented preventive security measures, etc.
Our contacts with these groups, together with the prior study of various publications and
reports on business continuity (at domestic and international level) enabled us both to
verify the position of the sample under study (Spanish companies) and also to put forward
possible recommendations.
2 MAIN FINDINGS
This summary confirms what INTECO has been pointing out in several of its studies,
namely that Spanish SMEs consider that they are exposed to a large variety of security
incidents which nevertheless always include those relating to information security.
43.3% of the SMEs that took part in the survey stated that they had suffered some kind of
serious security incident in the last three months, the most salient of which were service failures on
the part of providers (16.3%), computer attacks (11.1%) and support system breakdowns
(air-conditioning, electricity or communication lines) (8.9%) (see Graphic 1):
Considering the number and variety of the security incidents that impacted the continuity
of operations one way or another, it may be considered likely that companies will be
affected by interruptions.
[Graphic 1: Security incidents affecting SMEs in the last three months; surviving chart entry: Other 2.0%]
This reinforces the point that you can never know what event might affect an
organisation, causing its activities to be halted, since such events largely depend on
the specific circumstances in each case.
What were the causes that triggered the incidents?
When it came to identifying the main causes that could have triggered these security
incidents (see Graphic 2), despite the variety of responses, three reasons can be cited:
unawareness of the threat (6.9%), poor or obsolete system configuration (6.8%) and
inefficient associated prevention tools (3.1%). This confirms the premise that SMEs
may not be aware of the risks facing them and, consequently, that the measures adopted to
address such risks are not effective, because they have an imperfect understanding of, and
have not prioritised, the threats they should be addressing:
[Graphic 2: main causes that triggered the security incidents (chart). Surviving legend entries: “I was aware of the risk but did not have the budget/resources” 0.9%; Other 10.9%]
Base: SMEs that have been affected by some kind of security incident (n=372). Source: INTECO
Our detailed analysis of “Other” causes indicated by the respondents showed that most of
the companies that gave this response laid the blame on a failure in service by providers
(61.1%), who in one way or another help maintain the uninterrupted continuity of business
operations.
What response measures have been adopted in the wake of the incidents?
• The organisations already have certain security measures in place. Mainly, they make
back-up copies (87.8%), acquire software or hardware (79.7%) and consult or seek
support from experts (79.2%).
• In the near future, SMEs intend to gain more knowledge of the business continuity
plans that can be adopted (25.4%), adopt measures to guarantee the continuity of
operations in the event of an emergency (22%) and enter into agreements with third
parties (18.9%).
• The study also revealed certain measures that the SMEs have not implemented and
do not intend to implement, such as adopting a risk management procedure (64.6%)
or hiring physical security services (64.6%).
Base: SMEs that have been affected by some kind of security incident (n=372) Source: INTECO
Based on the study, it does not appear that the surveyed companies are aware that the
continuity of their operations may depend considerably on their suppliers’ continuity
guarantees. As shown in Graphic 4, 72% of the small and micro Spanish companies
surveyed do not require their suppliers to provide any certificate or to comply with any
measures aimed at guaranteeing the continuity of their services.
Graphic 4: Companies demanding some form of evidence/certificate/measures/plans
guaranteeing the continuity of their suppliers’ services in the event of a disaster
[Chart: Yes 18.7%; No 72.0%; Don't know/No answer 9.3%]
The most common requirements demanded by the 18.7% that require their suppliers to
meet business continuity guarantees are:
• Round the clock service, seven days a week, established in agreements with suppliers
of the most critical services or immediate response times (14.3%).
How can a degree of maturity be attained with respect to the risk management
processes that impact on business continuity?
The best way to adopt security strategies in line with the needs and actual situation of
companies is to base them on an understanding of the risks that threaten the continuity of
their business processes:
From our initial analysis of the responses, 38.3% of the surveyed companies have a
management process in place which they use on a periodic basis to address the risks that
could affect the continuity of their operations, thereby demonstrating, at the outset, a
certain level of concern and proactive approach (see Graphic 5).
Graphic 5: Companies carrying out some kind of action aimed at addressing continuity
risks (%)
[Chart; response categories: No; Don't know/No answer; Yes, but only occasionally and when the budget and workload permit; Only rarely; Yes, we have an optimised process, managed and reviewed regularly]
What are the maximum interruption times that can be tolerated by SMEs?
In order to analyse the appropriateness of the security measures in place and the actual
continuity needs required by the various activity sectors, our aim was to identify, with the
SMEs surveyed in the study, the maximum time of inactivity, in the event of an
interruption, that could be borne without this having a serious impact on their finances,
operations or the company reputation (see Graphic 6).
Irrespective of the industry in question, 35.8% of the companies stated that they could not
allow their key activities to be halted, thereby underlining the critical importance of
adopting business continuity plans at any kind of SME.
Similarly, only 17.5% of the small and micro Spanish companies surveyed could tolerate a
standstill in their activities for more than five days without this having a serious effect on
the company.
Graphic 6: Maximum time for business activity interruption at SMEs
[Bar chart, % of companies; categories: Immediately (35.8%); More than 12 hours; More than 24 hours; More than 48 hours; More than 5 days (17.5%)]
Our appraisal of the findings regarding the level of knowledge of the business continuity
culture revealed, especially, the difficulties organisations had with gaining a clear grasp of
the key concepts in this connection.
Although 33% of the SMEs claimed to be familiar with the concepts of business continuity,
only 21.7% of these really knew the difference between the terms “Business Continuity
Plan” and “Disaster Recovery Plan” (see Graphic 7).
Graphic 7: Companies familiar with business continuity concepts (%)
[Chart; response categories: No; Don't know/No answer; Yes, absolutely; Yes, we have them for business management purposes but I am not fully familiar with them; I have only a vague idea, I have heard of them occasionally]
These levels of knowledge and training in the subject are indicators that can be compared
with the findings of other studies at international level which reflect the lower interest in
and awareness of business continuity-related matters shown by Spanish SMEs.
• The highest level of knowledge was found at companies in the professional, scientific
and technical sectors (31.8%), and those engaged in technological activities (18.2%),
whereas companies in the education, healthcare or social services sectors showed
greater deficiencies in this respect.
• No quantitative differences in the levels of knowledge of SMEs were noted when the
analysis focused on the size of companies.
As shown by the findings of the study, regarding the issue of business continuity, Spanish
SMEs are characterised by a general unawareness of what business continuity is and its
importance in their day-to-day operations.
Which companies have defined some form of business continuity strategy?
The study concluded that 38.4% of the SMEs stated that they had some form of strategy
that focused on ensuring the continuity of their business in the event of an incident or a
disaster. This group includes both companies that had defined strategies for the continuity
of their operations (16.7%) and those that had procedures in place solely to ensure
recovery on a technological level (21.7%).
[Graphic 8: Companies with some form of business continuity strategy (%). Chart: Yes 38.4% (defined continuity strategy 16.7%; technological recovery procedures only 21.7%); No 57.3%; Don't know/No answer 4.3%]
There are various reasons why companies lack a formal plan, arising, to a large extent,
from difficulties or obstacles when it comes to the development and implementation of the
strategy. The fact that they consider the likelihood of a crisis or disaster occurring to be
remote, or lack the time, resources and/or budget are some of the obstacles highlighted
by SMEs in this respect. Similarly, a lack of knowledge and experience of the subject
means that a large percentage of the companies that adopt continuity measures decide to
resort to external support and assistance for some of the plan’s development phases
(42.4%).
What are the reasons behind the implementation of business continuity plans?
Graphic 9: Main reasons for the implementation of business continuity plans
Importance rating (% of respondents): (1) Not at all important / (2) Not very important / (3) Important / (4) Quite important / (5) Very important
• Alignment with the main industry security standards: 17.4% / 23.1% / 15.5% / 26.3% / 17.8%
• In the event of possible pandemics (swine flu): 57.7% / 28.9% / 3.5% / 8.9% / 1.0%
What are the reasons for SMEs’ lack of business continuity measures?
Certain conclusions can be drawn from an analysis of the reasons put forward by SMEs
for not having business continuity measures (see Graphic 10):
• Lack of funds and budgetary resources to cover the necessary measures (15.1%).
In short, they have an incorrect perception of the risks or threats to which they may be
subject and of the likelihood of a contingency arising which, if it is not dealt with in
time, could become a serious issue.
Graphic 10: Reasons why companies do not implement continuity plans
[Chart; surviving entry: Other 10.0%]
What is the demand for external advisory services for the development of business
continuity strategies?
As shown by the study, it must be remembered that the majority of the companies taking
part have neither the knowledge nor necessary experience to deal with processes of this
nature, nor the objectivity and independence required to identify the company’s critical
resources and processes.
Accordingly, nearly half of the SMEs (44.4%) that have undertaken business continuity
programmes have needed external advisory services (see Graphic 11).
Conversely, 49.2% have their own technical resources, knowledge, etc. to tackle the
response actions to be implemented in the event of an interruption to services.
Graphic 11: Companies that required external advisory services to deal with business
continuity programmes (%)
[Chart: required external advisory services 44.4%; had their own technical resources 49.2%; remainder 6.4%]
Unlike SMEs, large Spanish companies have more means, more resources and, above
all, a greater level of awareness to comprehend that the adoption of business continuity
plans is critical for an organisation.
Graphic 12: Comparison of the level of business continuity plan implementation
[Bar chart, % of companies; Yes: large companies 81.1%, SMEs 38.4%; No: large companies 18.9%, SMEs 57.3%; Don't know/No answer: large companies 0.0%, SMEs 4.3%]
Base: total SMEs (n=400) and large companies (n=253). Source: INTECO
The situation of SMEs is drastically different as they must focus on day-to-day production
and so the task of keeping their business activity ‘afloat’ and surviving in the business
world becomes their main goal. This prioritisation of objectives means that other important
matters, such as continuity management, are forgotten or, at least, take a back seat.
Part of this study focussed on SMEs which do currently have some form of successfully
defined continuity strategy or plan. The 29 organisations chosen as a sample in this
section were asked about any key factors or good practices that they had to develop in
order to effectively implement their measures and the benefits linked to their
implementation.
In line with the main standards in the field, SMEs concur that the following are good
practices that aid the development of continuity measures from a strategic, tactical and
operational standpoint:
• Definition of the critical systems and applications within the scope.
CONCLUSIONS AND RECOMMENDATIONS
There is a general lack of awareness amongst Spanish SMEs of the multitude of risks
they face, the probability that they will occur and the consequences that they can cause.
This mistaken view of the risks leads companies to unwittingly accept them and adopt a
predominantly reactive position, i.e. only when they suffer serious security incidents do
they show an interest and become willing to improve the resistance of their operations.
In this situation, there is a clear need for business continuity plans in order to minimise the
impact of serious disruptions to business operations.
• The cost/benefit ratio does not appear to be favourable to the business owner. The
mistaken opinion that ‘nothing ever happens’ leads to the idea that continuity is an
unnecessary expense.
• Lack of knowledge and the need to use external specialists to advise on the
implementation of measures result in increased costs.
In light of this, a specific boost needs to be given to the introduction of support services for
the implementation of business continuity plans for SMEs, including, for example:
• Training aimed at creating interest and concern at SMEs and knowledge of the risks
they face.
• An SME-specific service offering covering all the areas of the business continuity plan
(technology, operations, management, financial, legal and logistics services, etc.).
• Greater awareness and effective tools enabling SMEs to calculate the cost/benefit
ratio in order to better prioritise available resources and determine investments.
INDEX OF GRAPHICS
Graphic 1: Security incidents affecting SMEs in the last three months 6
Graphic 5: Companies carrying out some kind of action aimed at addressing continuity risks (%) 10
Graphic 8: Companies with some form of business continuity strategy (%) 13
Graphic 9: Main reasons for the implementation of business continuity plans 14
Graphic 10: Reasons why companies do not implement continuity plans 15
Graphic 11: Companies that required external advisory services to deal with business continuity programmes (%) 16
Graphic 12: Comparison of the level of business continuity plan implementation 17
www.inteco.es
www.deloitte.es
http://observatorio.inteco.es